What’s particularly interesting is that the Slammer worm has used at least five different pathways to get to its control system victims. In one case, it entered a petroleum control system via a maintenance laptop that was used at home, infected there and then brought into the plant. In another case, it contaminated a paper machine human/machine interface (HMI) via a dial-up modem employed for remote support. In a third case, it passed right through a poorly configured firewall. In a fourth case, it took advantage of a temporary Internet connection set up by a contractor — involving a remote virtual private network for system maintenance — that bypassed the IT firewall. In all these examples, firewalls were in place but the worm either bypassed them or exploited some flaw in the firewall’s deployment.
Figure 1. In 75 incidents from 2002 to 2006, attackers and viruses infiltrated via corporate networks most often but far from exclusively. Source: Industrial Security Incident Database, June 2006.
Many chemical industry managers find the number and variety of pathways into their control systems hard to believe. However, this information has been corroborated both by the keynote presentation at the 2006 Process Control Security Forum (PCSF) and a 2007 ARC Advisory Group survey. The PCSF paper reported that at a large oil company, 80% to 90% of all control networks were shown to be connected to the enterprise network, which, in turn, was hooked up to the Internet. ARC canvassed control engineers about the types of connections that their automation networks had to the outside world. Only 17.5% reported no connection. Indeed, ARC found an extensive number of hookups:
- 47.5% to a company intranet/business network;
- 42.5% directly to the Internet;
- 35% to direct dial-up;
- 20% to wireless modems; and
- 8% with other connections.
Notice the percentages add up to far more than 100%, indicating that many control-system networks had multiple connections.
These secondary pathways can have a huge impact on plant security. An analysis of 75 control-system security incidents between 2002 and 2007 showed that more than half of the attacks came through secondary pathways such as dial-up connections, wireless systems and mobile devices (Figure 1).
Figure 2. Most chemical plants suffer from a wide variety of vulnerabilities.
This indicates that chemical companies are missing or at least failing to adequately secure numerous pathways into their control systems (Figure 2). Many are human pathways such as contractors’ laptops, USB drives and inappropriate employee behavior. Others are communications systems that aren’t based on the typical local area network technologies — e.g., serial and telephone connections to remote process equipment, modems and wireless systems.
The only solution is to conduct a thorough analysis of all pathways into the chemical process systems. Often this can result in some big surprises. A 2005 survey of a U.S. refinery that I directed uncovered 17 different pathways — site management had believed there was only one control-system-to-business link. Once a complete list has been compiled, each pathway should be analyzed for its potential security impact. Assuming “no hacker would use that pathway” isn’t a route to good security.